Security Basics mailing list archives
Re: Some rare log entry on our wiki server
From: Andrew Smith <stfunub () gmail com>
Date: Thu, 3 Feb 2005 20:53:43 +0000
This is an attempt to exploit the WEBDAV vulnerability in ISS servers. Nothing to worry about, it will be fully patched but the worms are still out and about. I get about 100 of these a day on my I.P range (local isp).

On Thu, 3 Feb 2005 00:37:56 +0100, Joachim Schipper <j.schipper () math uu nl> wrote:
> On Wed, Feb 02, 2005 at 09:49:10AM +0100, Pere Urbon Bayes wrote:
> > I have one LAMP wiki server, and today I found one rare log entry. I was looking for it on Google, but it didn't give me any answer!! :<. Any one of you have any idea about it? I'll be very thankful.
> >
> > My log entry was:
> >
> > GET /SEARCH%20/%5Cx90%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> > 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> > 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> > 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> > 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> > 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> > 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> > 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> > 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> > 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> > 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> > 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> > 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> > 5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
> > 5Cxc9%5Cxc9%5C
> >
> > It's very long, but I didn't post it all.
> >
> > Thanks
>
> It's a buffer overflow attempt, someone trying to crack open your web server. It probably failed, or you wouldn't be seeing this entry! You can try to look up the specific shellcode used (and logged, above) on the web, though I'd recommend going for the last part - this is probably just a NOOP sled, while the actual code is at the end.
>
> However, I wouldn't worry too much about it. I see such an attempt every couple of days. If you are security conscious, put Apache in a chroot() jail and add mod_security.
>
> Joachim
-- zxy_rbt2
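
Added example (not part of the original thread or any poster's code): a small access-log triage script that flags requests like the one quoted above, where the path carries a long run of one repeated escaped byte in either %5CxNN or \xNN form. The sample log lines, the 32-byte threshold and the function names are assumptions made for illustration.

```python
import re
from itertools import groupby
from urllib.parse import unquote

# Request field of a common/combined-format access log line.
REQUEST = re.compile(r'"([A-Z]+) (\S+)(?: HTTP/[\d.]+)?"')
# One or more consecutive escaped bytes, e.g. \x90\xc9\xc9 (after percent-decoding).
ESCAPED_BLOCK = re.compile(r"(?:\\x[0-9a-fA-F]{2})+")

def longest_run(path):
    """Return (byte_value, length) of the longest run of one repeated escaped byte."""
    best = (None, 0)
    for block in ESCAPED_BLOCK.finditer(unquote(path)):  # %5Cxc9 -> \xc9
        values = [int(h, 16) for h in block.group().split("\\x")[1:]]
        for value, group in groupby(values):
            length = len(list(group))
            if length > best[1]:
                best = (value, length)
    return best

def scan(lines, min_run=32):
    """Flag requests whose path holds at least min_run copies of the same escaped byte."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        method, path = match.groups()
        byte, run = longest_run(path)
        if run >= min_run:
            hits.append({"line": number, "method": method, "filler": byte,
                         "run": run, "path_length": len(path)})
    return hits

# Constructed sample log (documentation addresses, made-up timestamps and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Feb/2005:09:12:01 +0100] "GET /SEARCH%20/%5Cx90'
    + "%5Cxc9" * 200 + ' HTTP/1.0" 404 281',
    '192.0.2.44 - - [03/Feb/2005:09:13:20 +0100] "GET /wiki/FrontPage HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Feb/2005:09:15:42 +0100] "SEARCH /\\x90'
    + "\\xc9" * 100 + '" 414 330',
    '192.0.2.44 - - [03/Feb/2005:09:16:03 +0100] "GET /wiki/caf%5Cxc3%5Cxa9 HTTP/1.1" 200 811',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line {line}: {method}, filler 0x{filler:02x} x{run}, "
              "path {path_length} chars".format(**hit))
```
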